Leif M. Wright's Blog Remote Command Execution

 
 Summary 
Leif M. Wright's Blog is "a very simple blog program that can be used for entering, editing and deleting blog entries, uploading jpeg images embedded into the blog entry, and uploading mpeg movies linked from the blog entry. Readers can enter comments on blog entries, which the blog owner gets to approve before they're posted". A vulnerability in the product allows remote attackers to cause the product to execute arbitrary code.

 
 Details 
Vulnerable Systems:
 * Blog version 1.1.5

Immune Systems:
 * Blog version 1.5.2

Exploit:
Sending the following URL to a server makes it possible to test whether your server is vulnerable:
http://address/directory/blog.cgi?submit=ViewFile&month=[month]&year=[year]&file=|command|
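
To check whether such requests have already reached a server, the following added example (not part of the original advisory or of the Blog product) scans web access log lines for ViewFile requests to blog.cgi whose file parameter is not a plain file name. The Common Log Format input, the file-name allowlist and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate `file` values are plain names (letters, digits, '.', '_', '-').
SAFE_FILE = re.compile(r"[A-Za-z0-9._-]+")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access log lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2005:10:00:00 +0000] "GET /directory/blog.cgi?submit=ViewFile&month=01&year=2005&file=entry1.txt HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2005:10:00:05 +0000] "GET /directory/blog.cgi?submit=ViewFile&month=01&year=2005&file=|command| HTTP/1.0" 200 87',
    '192.0.2.11 - - [01/Jan/2005:10:00:09 +0000] "GET /directory/blog.cgi?submit=ViewFile&month=01&year=2005&file=%7Ccommand%7C HTTP/1.0" 200 87',
    '192.0.2.12 - - [01/Jan/2005:10:01:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

def suspicious_viewfile(line):
    """Return the decoded `file` value if the line is a ViewFile request to
    blog.cgi whose `file` parameter is not a plain file name, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    try:
        url = urlsplit(m.group(1))
    except ValueError:
        return None
    if not url.path.endswith("/blog.cgi"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if "ViewFile" not in params.get("submit", []):
        return None
    for value in params.get("file", []):
        if not SAFE_FILE.fullmatch(value):  # catches '|' in raw or %7C form
            return value
    return None

def scan(lines):
    """Return (line number, decoded file value) for every suspicious request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_viewfile(line)) is not None]

if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious file parameter {v!r}")
```

Because the query string is percent-decoded before matching, the encoded form of the pipe character is reported the same way as the literal one.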
 

    Source: geocities.com/ijookeren/xxx
